Use shared app JWT for manager access

src/schemas/user.ts

@@ -1,7 +1,6 @@
 import { GraphQLError } from 'graphql'
-import { randomBytes } from 'crypto'
 import { prisma } from '../db.js'
-import { SESSION_TOKEN_PREFIX, type AuthContext } from '../auth.js'
+import { issueAppJwt, type AuthContext } from '../auth.js'
 
 const OTP_TTL_MINUTES = Number.parseInt(process.env.LOGIN_OTP_TTL_MINUTES || '10', 10)
 const SESSION_TTL_DAYS = Number.parseInt(process.env.LOGIN_SESSION_TTL_DAYS || '30', 10)
@@ -181,13 +180,6 @@ async function mapProfileUser(profile: Awaited<ReturnType<typeof getOrCreateProf
   }
 }
 
-async function issueSession(userId: number) {
-  const token = `${SESSION_TOKEN_PREFIX}${randomBytes(32).toString('hex')}`
-  const expiresAt = new Date(Date.now() + SESSION_TTL_DAYS * 24 * 60 * 60 * 1000)
-  await prisma.authSession.create({ data: { token, userId, expiresAt } })
-  return { token, expiresAt }
-}
-
 async function verifyPhoneLogin(phone: string, code: string) {
   const normalizedPhone = normalizePhone(phone)
   const challenge = await prisma.loginChallenge.findFirst({
@@ -203,10 +195,12 @@ async function verifyPhoneLogin(phone: string, code: string) {
 
   await prisma.loginChallenge.update({ where: { id: challenge.id }, data: { usedAt: new Date() } })
   const profile = await getOrCreateProfileByPhone(normalizedPhone)
-  const session = await issueSession(profile.userId)
+  const isManager = await isManagerUser(profile.userId)
+  const token = await issueAppJwt({ userId: profile.logtoId, teamUuid: profile.activeTeam?.uuid ?? null, isManager })
+  const expiresAt = new Date(Date.now() + SESSION_TTL_DAYS * 24 * 60 * 60 * 1000)
   return {
-    token: session.token,
-    sessionExpiresAt: session.expiresAt.toISOString(),
+    token,
+    sessionExpiresAt: expiresAt.toISOString(),
     user: await mapProfileUser(profile),
   }
 }